clower_element

Members
  • Content count: 103
  • Rank: Advanced Member
  1. Real Time Protection Layers turned OFF - Malware Protection OFF

    Thank you very much for your reply, Firefox. Following your advice I've just installed the latest version and it seems to be working fine at the moment. I didn't install it over the top of my last version. I decided to use the Malwarebytes clean tool first. Fingers crossed it stays working.
  2. Hi, I've just turned my laptop on and got greeted by this warning from Malwarebytes version 3.1.2.1733, Component Package version 1.0.160, Update version 1.0.2681. I am not able to turn the Malware Protection back on. How do I turn it back ON, please?
  3. Hi, I am wondering whether my exploit protection is working correctly. According to Nikhil's expert advice in this thread, "The mbae-test tool will not work for MB 3.0.6 if the Self protection is on". In my MB 3.0.6 Self Protection is set to "ON", but when I run the mbae-test.exe it seems to be doing something because it is triggering the following pop up: Is this behaviour not normal for MB 3.0.6?
  4. MSE strange behaviour, infected?

    Hi Kevin, Thank you very much for your reply. No apologies needed, glitches can happen. As I understand from your reply I shouldn't worry about MSE logs in event viewer. Glad to hear it. Just to put my mind at rest, may I ask whether there was anything sinister on my laptop at all, or just nothing to worry about? Thank you. P.S. A donation has been made on my behalf by one of my family members. Hope you received it.
  5. MSE strange behaviour, infected?

    Hi Kevin, I have been keeping my eye on MSE since it was freshly installed last Friday. Here are my findings: The message “Preliminary results show that malicious or potentially unwanted software might exist on your system. You can review detected items when the scan has completed” NO longer appears in the MSE interface whilst MSE is scanning. On one hand this seems like good news, but on the other hand the (Event 5007) "Microsoft Antimalware Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware” still persists. This (Event 5007) makes me worried because it is not me who is doing any changes to trigger that in the event log. MSE also self updates before the automatic scan starts with the latest definitions, so I don't understand what is causing the "Event 2010" to retrieve additional signatures either?

    15:14:42 "Event 2000, Microsoft Antimalware" - MSE updates with Antivirus signatures
    15:14:42 "Event 2000, Microsoft Antimalware" - MSE updates with AntiSpyware signatures
    15:14:44 "Event 1000, Microsoft Antimalware" - Scan started
    15:16:09 "Event 19, Windows Update Client" - Windows successfully installed the definition update for MSE
    15:26:56 "Event 2010, Microsoft Antimalware" - Dynamic Signature Service used to retrieve additional signatures to help protect your machine (Antivirus)
    15:26:56 "Event 2010, Microsoft Antimalware" - Dynamic Signature Service used to retrieve additional signatures to help protect your machine (AntiSpyware)
    15:26:56 "Event 1001, Microsoft Antimalware" - Scan finished
    15:26:57 Event 5007 “Microsoft Antimalware Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware”.

    Thank you
  6. MSE strange behaviour, infected?

    Hi Kevin, I uninstalled MSE, restarted my laptop and installed fresh MSE from the link you provided. MSE seemed to install fine. It also performed its first self update and self scan automatically. I watched the scan run and this time for the duration of the whole scan the warning message DIDN'T resurface. Scan completed with no infections found. I'm going to monitor MSE scans for a couple more days and come back (probably on Monday) to report if the dreaded warning message comes back again. I am secretly hoping it was just some kind of corruption with the old MSE at this point and nothing sinister lurking on my laptop. Thank you
  7. MSE strange behaviour, infected?

    I will uninstall MSE from Control Panel and reinstall it tomorrow. I will report how it went tomorrow. I have to go to bed now. Thank you for your help so far, Kevin. Very much appreciated.
  8. MSE strange behaviour, infected?

    Here are the results of the GMER scan. I think it found something. Are these real threats or false positives? If they are false positives, how do I release them back into my system? I still have got the GMER interface open.

    GMER 2.2.19882 - http://www.gmer.net
    Rootkit scan 2017-03-23 22:15:47
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0006 465.76GB
    Running: mxm852ir.exe; Driver: C:\Users\MCNEELY\AppData\Local\Temp\uwtirkog.sys

    ---- Registry - GMER 2.2 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076a27abb
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38e4dd08
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076a27abb (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38e4dd08 (not active ControlSet)

    ---- EOF - GMER 2.2 ----

    Thank you
  9. MSE strange behaviour, infected?

    That image I posted that identifies this entry C:\MSOCache\All I actually took just as an example to document the existence of the warning message when my MSE was scanning. It is not an actual spot where MSE would stall and that warning message appeared. It is even hard to tell whether the message comes up at exactly the same spot each time, because I have got a funny suspicion I have seen the message appearing in different spots in the past few days. I don't know if this helps a bit, but I have just run an MSE quick scan twice in a row to catch MSE in action in real time and used the print screen button on my laptop to document the first appearance of the warning message. Strangely, this time on both occasions the item in question seems to be "schvost". Also I have to add I don't have a USB flash drive. Thank you
  10. MSE strange behaviour, infected?

    I stopped and changed those 2 Vaio entries to disabled. Then I ran an MSE scan. The same problem with MSE persists. After the MSE scan I changed those 2 Vaio entries I previously disabled back to "started". Thank you
  11. MSE strange behaviour, infected?

    Hi Kevin, Strangely there are no VAIO Care entries listed under the Services. Thank you
  12. MSE strange behaviour, infected?

    Hi Kevin, Thank you for your reply again. I followed the step by step instructions from this link https://support.microsoft.com/en-gb/kb/929135 you kindly provided and set Windows up for clean boot mode. Whilst in the clean boot mode I launched MSE and ran a quick scan. MSE behaved exactly the same as it currently behaves in my normal mode. Again it showed exactly the same warning message in its interface whilst it was running a scan, and when it finished its scan there were no detections listed under the MSE history tab. One thing I would like to mention: MSE was about half way into scanning and suddenly UAC popped up asking me whether I wanted (I think it was Vaio Care, can't be 100% sure) to make changes to my computer. I had no idea how to deal with this in the clean boot mode (whether to allow it or not). I just closed this pop up window and soon after MSE finished scanning I left this mode and reset my laptop to start normally. Everything loaded back to normal as far as I could see, except the MSE icon was missing from the system tray next to the clock... I had to kill the msseces.exe process in the task manager to bring the icon back. I am not really sure what to do next with my findings. I am having one of those moments of not fully understanding a perfectly good set of instructions. Thank you
  13. MSE strange behaviour, infected?

    Hi Kevin, Thank you very much for your reply. This is what I see when I open the History tab on MSE. There are no detected items under Quarantine/Allowed and All Items. I also ran RogueKiller as you requested. Obviously I am not able to read the logs myself, but is this detection ... "[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [xxxx://www.docrafts.com/] -> Found" a false positive? I set this website "docrafts.com" as Google Homepage myself ages ago. Or is the site not to be trusted? I tried to attach the RK log but the forum gave me an error code: "There was a problem processing the uploaded file.-200", so I am copy/pasting it instead.

    RogueKiller V12.10.1.0 (x64) [Mar 20 2017] (Free) by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : https://forum.adlice.com
    Website : http://www.adlice.com/download/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : MCNEELY [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
    Mode : Scan -- Date : 03/22/2017 12:28:16 (Duration : 00:37:06)

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 0 ¤¤¤

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [https://www.docrafts.com/] -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST9500325AS +++++
    --- User ---
    [MBR] 82c102291baac9b7855b8cc9293298a2
    [BSP] 85d35a64660348e2957c1a36a0234f17 : Windows Vista/7/8|VT.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13623 MB
    1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 27901952 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 28106752 | Size: 463215 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK

    Thank you
  14. MSE strange behaviour, infected?

    Hi Kevin, Thank you for your instructions. I followed them. Here is the Fixlog:

    Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
    Ran by MCNEELY (21-03-2017 15:25:05) Run:1
    Running from C:\Users\MCNEELY\Desktop
    Loaded Profiles: MCNEELY (Available Profiles: MCNEELY)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start
    CreateRestorePoint:
    CloseProcesses:
    CHR Extension: (Chrome Media Router) - C:\Users\MCNEELY\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-11]
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 semav6msr64; \??\C:\Windows\system32\drivers\semav6msr64.sys [X]
    S3 semav6thermal64ro; \??\C:\Windows\system32\drivers\semav6thermal64ro.sys [X]
    FirewallRules: [{640BEBBD-8664-4167-A781-6A6FB2D7039D}] => (Allow) svchost.exe
    FirewallRules: [{CEFFC1E8-7BAE-41E3-9129-C6AE00C67EC9}] => (Allow) LPort=2869
    FirewallRules: [{0AF7EAF7-2CE0-403D-8652-0A5AD8E925C6}] => (Allow) LPort=1900
    CMD: ipconfig /flushdns
    Hosts:
    EmptyTemp:
    end
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    C:\Users\MCNEELY\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
    HKLM\System\CurrentControlSet\Services\catchme => key removed successfully
    catchme => service removed successfully
    HKLM\System\CurrentControlSet\Services\semav6msr64 => key removed successfully
    semav6msr64 => service removed successfully
    HKLM\System\CurrentControlSet\Services\semav6thermal64ro => key removed successfully
    semav6thermal64ro => service removed successfully
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{640BEBBD-8664-4167-A781-6A6FB2D7039D} => value removed successfully
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CEFFC1E8-7BAE-41E3-9129-C6AE00C67EC9} => value removed successfully
    HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0AF7EAF7-2CE0-403D-8652-0A5AD8E925C6} => value removed successfully

    ========= ipconfig /flushdns =========

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========

    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    =========== EmptyTemp: ==========

    BITS transfer queue => 8388608 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 28070926 B
    Java, Flash, Steam htmlcache => 506 B
    Windows/system/drivers => 177135792 B
    Edge => 0 B
    Chrome => 27053838 B
    Firefox => 0 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Users => 0 B
    Default => 0 B
    Public => 0 B
    ProgramData => 0 B
    systemprofile => 128 B
    systemprofile32 => 128 B
    LocalService => 0 B
    NetworkService => 6832276 B
    MCNEELY => 103222933 B

    RecycleBin => 291038848 B
    EmptyTemp: => 612 MB temporary data Removed.

    ================================

    The system needed a reboot.

    ==== End of Fixlog 15:25:50 ====

    After I was done with the Fixlist.txt I went to test MSE, which is the main concern of mine and the reason why I started this thread in the first place. Sadly, it looks like nothing has changed and the same problem with MSE persists. The first Quick Manual Scan finished without the dreaded message, but an hour or so later I performed a Full Manual Scan and the warning message “Preliminary results show that malicious or potentially unwanted software might exist on your system. You can review detected items when the scan has completed” appeared AGAIN. Then I ran another Quick Manual scan and it presented the same dreaded message too. Of course nothing is ever detected. Pics of MSE in scanning mode and a couple of event viewer logs, one when it completes the scan and one more log straight after it. I really have no clue what is causing this. Is there anything else we could try? Thanks
  15. MSE strange behaviour, infected?

    Here are the rest of the requested logs.

    # AdwCleaner v6.044 - Logfile created 21/03/2017 at 10:49:18
    # Updated on 28/02/2017 by Malwarebytes
    # Database : 2017-03-20.1 [Server]
    # Operating System : Windows 7 Home Premium Service Pack 1 (X64)
    # Username : MCNEELY - MCNEELY-VAIO
    # Running from : C:\Users\MCNEELY\Desktop\AdwCleaner.exe
    # Mode: Clean
    # Support : https://www.malwarebytes.com/support

    ***** [ Services ] *****

    ***** [ Folders ] *****

    [-] Folder deleted: C:\Users\MCNEELY\AppData\LocalLow\HPAppData
    [-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Auslogics

    ***** [ Files ] *****

    ***** [ DLL ] *****

    ***** [ WMI ] *****

    ***** [ Shortcuts ] *****

    ***** [ Scheduled Tasks ] *****

    ***** [ Registry ] *****

    [-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}

    ***** [ Web browsers ] *****

    [-] [C:\Users\MCNEELY\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: uk.ask.com

    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared

    *************************

    C:\AdwCleaner\AdwCleaner[C0].txt - [1164 Bytes] - [21/03/2017 10:49:18]
    C:\AdwCleaner\AdwCleaner[S0].txt - [1415 Bytes] - [21/03/2017 10:10:15]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1310 Bytes] ##########

    ---------------------------------------------------------------------------------------
    Microsoft Windows Malicious Software Removal Tool v5.44, January 2017 (build 5.44.13400.0)
    Started On Wed Jan 11 11:28:48 2017

    Engine: 1.1.13303.0
    Signatures: 1.233.3409.0
    Run Mode: Scan Run From Windows Update

    Results Summary:
    ----------------
    No infection found.
    Successfully Submitted Heartbeat Report
    Microsoft Windows Malicious Software Removal Tool Finished On Wed Jan 11 11:31:44 2017

    Return code: 0 (0x0)
    ---------------------------------------------------------------------------------------
    Microsoft Windows Malicious Software Removal Tool v5.45, February 2017 (build 5.45.13501.0)
    Started On Fri Feb 24 14:59:53 2017

    Engine: 1.1.13407.0
    Signatures: 1.235.1858.0
    Run Mode: Scan Run From Windows Update

    Results Summary:
    ----------------
    No infection found.
    Successfully Submitted Heartbeat Report
    Microsoft Windows Malicious Software Removal Tool Finished On Fri Feb 24 15:02:36 2017

    Return code: 0 (0x0)
    ---------------------------------------------------------------------------------------
    Microsoft Windows Malicious Software Removal Tool v5.46, March 2017 (build 5.46.13601.0)
    Started On Wed Mar 15 13:33:05 2017

    Engine: 1.1.13504.0
    Signatures: 1.237.571.0
    Run Mode: Scan Run From Windows Update

    Results Summary:
    ----------------
    No infection found.
    Successfully Submitted MAPS Report
    Successfully Submitted Heartbeat Report
    Microsoft Windows Malicious Software Removal Tool Finished On Wed Mar 15 13:35:44 2017

    Return code: 0 (0x0)
    ---------------------------------------------------------------------------------------
    Microsoft Windows Malicious Software Removal Tool v5.46, March 2017 (build 5.46.13601.0)
    Started On Tue Mar 21 11:12:38 2017

    Engine: 1.1.13504.0
    Signatures: 1.237.571.0
    Run Mode: Interactive Graphical Mode

    Results Summary:
    ----------------
    No infection found.
    Successfully Submitted Heartbeat Report
    Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 21 11:17:02 2017

    Return code: 0 (0x0)

    FRST.txt Addition.txt